Need some help setting up encrypted folder - 13.1

Currently running 13.1/KDE 4.12.0

I would like to set up an encrypted folder at /home/user/crypt_folder for storing important private information.
I don’t want it to automatically mount at boot or user login; rather, I want the user to be forced to mount it manually AND to be able to unmount it while still logged in.

Using a container file and loop device seems like the way to go, but my attempts so far end up with an auto-mounted folder (at boot), owned by root, that I cannot figure out how to unmount. Issuing umount path-to-folder as root fails: path-to-folder not mounted. Indeed, I see no entry in /etc/mtab for the folder.
I used YAST-Partitioner to set up the crypto device.

Any pointers to How-Tos or well established procedures would be appreciated.
Thanks

On 2014-01-11 15:16, cmcgrath5035 wrote:

> Using a container file and loop device seems like the way to go, but
> my attempts so far end up with an auto-mounted folder (at boot),

That is controlled by an option. This is my setup:


> minas-tirith:~ # cat /etc/crypttab
>
>
> cr_sysdta       /home/_var_data/data.crf        none    noauto
> minas-tirith:~ # grep cr_sysdta /etc/fstab
> /dev/mapper/cr_sysdta   /data/cripta    reiserfs        noatime,noauto,nofail,barrier=flush     1 3
> minas-tirith:~ #


The “noauto” option in crypttab is the trick. “noauto,nofail” in fstab
appear to be also necessary.

> owned by
> root that I cannot figure out how to unmount. Issuing umount
> path-to-folder as root fails,

What error? Please post the command and result here.

It works for me:


minas-tirith:~ # umount /data/cripta
minas-tirith:~ # mount /data/cripta
minas-tirith:~ # ls /data/cripta
cer
minas-tirith:~ #

however, notice that “umount” only unmounts the filesystem, but the encrypted
device is still available. To remove that part you need:


cryptsetup remove $CR_NAME

There is a systemd service that does it all:


minas-tirith:~ # systemctl status /data/cripta
data-cripta.mount - /data/cripta
Loaded: loaded (/etc/fstab)
Active: active (mounted) since Sat 2014-01-11 16:13:23 CET; 3min 54s ago
Where: /data/cripta
What: /dev/mapper/cr_sysdta

minas-tirith:~ #

But I do not use it. Instead, I wrote my own set of scripts.

But you have to mount it as root. Probably using sudo (properly
configured) you could do it as user.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

A properly configured sudo allows the user to “become root” for that particular occasion. The mount itself is still done by root (a process owned by user 0). Not by the user.

Thanks for the examples - no time right at the moment but I’ll tackle it your way later.

To answer your questions:
HOW I GOT HERE:
I used YAST-Partitioner to add a Crypt container, selected the “create loop file” option.
The loop file is /home/carl/srv2
I selected that it be mounted to folder /home/carl/srvc

On boot, the folder /home/carl/srvc is available.
As root, I created a testfile, then changed the permissions to carl:users

/home/carl # ls -la s*
-rw-r--r-- 1 root root 4294967296 Jan 11 07:06 srv2

srvc:
total 20
drwxr-xr-x   2 root root   4096 Jan 11 07:16 .
drwxr-xr-x 119 carl users 12288 Jan 11 09:32 ..
-rw-r--r--   1 carl users    96 Jan 11 07:16 testfile
/home/carl # cat /etc/crypttab
  
cr_srv2         /home/carl/srv2      none       noauto

/home/carl # grep srv2 /etc/fstab
/home/carl/srv2      /home/carl/srv2      crypt      loop,user,noauto,acl,user_xattr,nofail 0 0

/home/carl # grep srv2 /etc/mtab
/home/carl # 

/home/carl # umount /home/carl/srv2
umount: /home/carl/srv2: not mounted

I see that Carlos is using device mapper.
I clearly don’t understand loop files, but apparently it is not “mounted” (no entry in /etc/mtab) therefore can’t be “umounted”.

I am of the understanding (reading man mount) that the “user” option in /etc/fstab will allow a regular user to mount a designated filesystem

If you are willing for the encrypted folder to be named “/home/user/Private”, then the easiest way to do this would be with “ecryptfs”.

First install ecryptfs-utils (from the standard repos).

In my experience, it helps to then do (at the command line)


sudo modprobe ecryptfs

Without that I sometimes see errors on the first setup.

Then, as the user, run the command:


/usr/bin/ecryptfs-setup-private

It will prompt you for your login password. However, you can lie, and give it a different password if you don’t want the folder automatically decrypted at login.

Thereafter, to make the folder available, use the command


ecryptfs-mount-private

This will again ask for the login password. Instead, provide the password you used for setup.

To unmount,


ecryptfs-umount-private

Except for that initial “modprobe”, everything can be done without root access. And no change is needed to “fstab”.

NO, it allows a user to use the mounted file system r/w, but only root can mount a file system.

On 01/11/2014 12:16 PM, gogalthorp wrote:
>
> NO it allows a user to use the mounted file system r/w but only root can
> mount a file system

If you use the “user” option in /etc/fstab, then anyone can mount the file system.

Here is what I read in man fstab(5)

.......
The fourth field (fs_mntops).
              This field describes the mount options associated with the filesystem.

              It is formatted as a comma separated list of options.  It contains at least the type of mount plus any  additional  options
              appropriate  to  the filesystem type. For documentation on the available mount options, see mount(8).  For documentation on
              the available swap options, see swapon(8).

              Basic file system independent options are:

              defaults
                     use default options: rw, suid, dev, exec, auto, nouser, and async.

              noauto do not mount when "mount -a" is given (e.g., at boot time)

              **user   allow a user to mount**

              owner  allow device owner to mount

              comment
                     or x-<name> for use by fstab-maintaining programs

              nofail do not report errors for this device if it does not exist.



......


Similar text in man mount(8)

Are you sure?

nrickert:
Thanks, I had browsed ecryptfs, might give that a go as well.
I was sort of looking for the method that required the fewest “unique” commands once the capability was set up.

It is not very interesting how your process “becomes root”. But only a process that runs with owner root (uid 0) is able to successfully ask the kernel to do a mount.

The mount tool:

henk@boven:~> ls -l $(which mount)
-rwsr-xr-x 1 root root 40112  5 nov  2012 /usr/bin/mount
henk@boven:~>

Which shows that this program is owned by root and that the SUID bit is set. That means that, whoever starts it, the process will be run owned by root.

Now, hopefully, this tool is programmed in such a way that it does allow only secure and documented things. One of those things is apparently that it looks in /etc/fstab to find an entry that fits with the request. Then, when there is the option “user” in that entry, it will “do the mount”. When that option is not there, it will check if the original user (not the process owner) is root. When no, it will not mount.

But the mount will only be done by the kernel if it is asked for by a root owned process. That is basic security.

I know we all tend to use these terms like “become root”, “be root”, “as root”, etc. rather loosely, but that habit does not contribute to the understanding of how things work.

And to make things easy for myself, I found a rather good description on how effective and real UIDs together with SUID programs work here: http://www.lst.de/~okir/blackhats/node23.html

On 2014-01-11 16:46, hcvv wrote:
>
> robin_listas;2615112 Wrote:
>>
>> But you have to mount it as root. Probably using sudo (properly
>> configured) you could do it as user.
>>
> A properly configured sudo allows the user to “become root” for that
> particular occasion. The mount itself is still done by root (a process
> owned by user 0). Not by the user.

Of course, of course. But the user can do that with his own password,
not root’s password.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

On 2014-01-11 20:06, cmcgrath5035 wrote:
>
> gogalthorp;2615135 Wrote:
>> NO it allows a user to use the mounted file system r/w but only root can
>> mount a file system

Yes, a user can mount a filesystem, IF the appropriate entry is in
fstab. Correct.

But before that you have to create the unencrypted pseudo device, and I
don’t know if you can do that as plain user.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

On 2014-01-11 18:46, cmcgrath5035 wrote:
>
> Thanks for the examples - no time right at the moment but I’ll tackle it
> your way later.
>
> To answer your questions:
> HOW I GOT HERE:
> I used YAST-Partitioner to add a Crypt container, selected the “create
> loop file” option.
> The loop file is /home/carl/srv2

I call that the “image” file. The loop device will be under /dev, and is
automatically selected.

> Code:
> --------------------
> /home/carl # cat /etc/crypttab
>
> cr_srv2 /home/carl/srv2 none noauto
>
> /home/carl # grep srv2 /etc/fstab
> /home/carl/srv2 /home/carl/srv2 crypt loop,user,noauto,acl,user_xattr,nofail 0 0
>
> /home/carl # grep srv2 /etc/mtab
> /home/carl #
>
> /home/carl # umount /home/carl/srv2
> umount: /home/carl/srv2: not mounted
> --------------------
>
>
> I see that Carlos is using device mapper.

Yes, that’s the method that YaST used for me.

I’m not familiar with the method you are using above. Did YaST create
those points, or did you?

> I am of the understanding (reading man mount) that the “user” option in
> /etc/fstab will allow a regular user to mount a designated filesystem

You have to add the entry “user” on the fstab line.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

On 2014-01-11 18:46, cmcgrath5035 wrote:

> Code:
> --------------------
> /home/carl # cat /etc/crypttab
>
> cr_srv2 /home/carl/srv2 none noauto
>
> /home/carl # grep srv2 /etc/fstab
> /home/carl/srv2 /home/carl/srv2 crypt loop,user,noauto,acl,user_xattr,nofail 0 0
>
> /home/carl # grep srv2 /etc/mtab
> /home/carl #
>
> /home/carl # umount /home/carl/srv2
> umount: /home/carl/srv2: not mounted
> --------------------

Well, it is not mounted. You have to mount it first.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

So, I read your answer “Well, it is not mounted…” and thought about it a while, then realized I had created my testfile in the unencrypted directory /home/carl/srvc, which would be the mount point for the encrypted filesystem image. Seeing that file misled me into thinking it was already mounted.

Oops, sorry about that!

I went back to Carlos’ example in #2 and read enough man pages to understand the error in my ways.

Carlos - in answer to your question, the YAST-Partitioner assigned the points cr_srv2 and loop0. I had selected the “Create loop file” checkbox.

Following Carlos’ example, I edited the entry in /etc/crypttab to “noauto” so that the image file would not be opened on boot.

What follows is the sequence of commands to mount the encrypted file system image in /home/carl/srv2 at mount point /home/carl/srvc after reboot.

 # cryptsetup open /dev/loop0 /home/carl/srv2
>>>> I decided to try the systemd service to do the mount
# systemctl start /home/carl/srvc
Job for home-carl-srvc.mount failed. See 'systemctl status home-carl-srvc.mount' and 'journalctl -xn' for details.
PVE-LinuxSRV5:/home/carl # systemctl status /home/carl/srvc
home-carl-srvc.mount - /home/carl/srvc
   Loaded: loaded (/etc/fstab)
   Active: failed (Result: exit-code) since Sun 2014-01-12 07:31:21 EST; 46s ago
    Where: /home/carl/srvc
     What: /home/carl/srv2
  Process: 6554 ExecMount=/bin/mount /home/carl/srv2 /home/carl/srvc -t crypt -o loop,user,noauto,acl,nofail (code=exited, status=1/FAILURE)

Jan 12 07:31:20 PVE-LinuxSRV5 systemd[1]: Mounting /home/carl/srvc...
Jan 12 07:31:20 PVE-LinuxSRV5 systemd[1]: home-carl-srvc.mount: Directory /home/carl/srvc to mount over is not empty, mounting anyway.
Jan 12 07:31:20 PVE-LinuxSRV5 mount[6554]: NOTE: mount.crypt does not support utab (systems with no mtab or read-only mtab) yet. Th...ounted.
Jan 12 07:31:21 PVE-LinuxSRV5 mount[6554]: Password: crypt_activate_by_passphrase: Operation not permitted
Jan 12 07:31:21 PVE-LinuxSRV5 systemd[1]: home-carl-srvc.mount mount process exited, code=exited status=1
Jan 12 07:31:21 PVE-LinuxSRV5 systemd[1]: Failed to mount /home/carl/srvc.
Jan 12 07:31:21 PVE-LinuxSRV5 systemd[1]: Unit home-carl-srvc.mount entered failed state.
Hint: Some lines were ellipsized, use -l to show in full. 

>>>>> It failed - does not support interactive entry of passphrase
# mount /home/carl/srvc
NOTE: mount.crypt does not support utab (systems with no mtab or read-only mtab) yet. This means that you will temporarily need to call umount.crypt(8) rather than umount(8) to get crypto volumes unmounted.
Password: 
>>>>>At this point, after entering the encryption passphrase, the encrypted file system is accessible in Dolphin

>>>>>Below - display some info
# cat /etc/crypttab
cr_srv2         /home/carl/srv2      none       noauto
# grep srvc /etc/fstab
/home/carl/srv2      /home/carl/srvc      crypt      loop,user,noauto,acl,nofail 0 0
# grep srvc /etc/mtab
/dev/mapper/_dev_loop0 /home/carl/srvc ext4 rw,nosuid,nodev,noexec,relatime,data=ordered 0 0
# systemctl status -l  /home/carl/srvc
home-carl-srvc.mount - /home/carl/srvc
   Loaded: loaded (/etc/fstab)
   Active: active (mounted) (Result: exit-code) since Sun 2014-01-12 07:34:52 EST; 42min ago
    Where: /home/carl/srvc
     What: /dev/mapper/_dev_loop0
  Process: 6554 ExecMount=/bin/mount /home/carl/srv2 /home/carl/srvc -t crypt -o loop,user,noauto,acl,nofail (code=exited, status=1/FAILURE)
>>>> this error message seems left over from the failed attempt to mount via the service.
>>>> The current status, mounted, is correct.

Thanks for the examples and dialog - a worthwhile learning experience.

On 2014-01-12 14:56, cmcgrath5035 wrote:

> So, I read your answer “Well, it is not mounted…” and thought about it
> a while, then realized I had created my testfile in the unencrypted
> directory /home/carl/srvc which would be the mount point for the
> encrypted filesystem image. Seeing that file misled me into thinking it
> was already mounted.
>
> Oops, sorry about that!
>
> I went back to Carlos’ example in #2 and read enough man pages to
> understand the error in my ways.
>
> Carlos - in answer to your question, the YAST-Partitioner assigned the
> points cr_srv2 and loop0. I had selected the “Create loop file”
> checkbox.
>
> Following Carlos’ example, I edited the entry in /etc/crypttab to
> “noauto” so that the image file would not be opened on boot.
>
> What follows is the sequence of commands to mount the encrypted file
> system image in /home/carl/srv2 at mount point /home/carl/srvc after
> reboot.
>
> Code:
> --------------------
> # cryptsetup open /dev/loop0 /home/carl/srv2
> >>>> I decided to try the systemd service to do the mount
> # systemctl start /home/carl/srvc
> Job for home-carl-srvc.mount failed. See ‘systemctl status home-carl-srvc.mount’ and ‘journalctl -xn’ for details.
> PVE-LinuxSRV5:/home/carl # systemctl status /home/carl/srvc
> home-carl-srvc.mount - /home/carl/srvc
> Loaded: loaded (/etc/fstab)
> Active: failed (Result: exit-code) since Sun 2014-01-12 07:31:21 EST; 46s ago
> Where: /home/carl/srvc
> What: /home/carl/srv2
> Process: 6554 ExecMount=/bin/mount /home/carl/srv2 /home/carl/srvc -t crypt -o loop,user,noauto,acl,nofail (code=exited, status=1/FAILURE)
>
> Jan 12 07:31:20 PVE-LinuxSRV5 systemd[1]: Mounting /home/carl/srvc…
> Jan 12 07:31:20 PVE-LinuxSRV5 systemd[1]: home-carl-srvc.mount: Directory /home/carl/srvc to mount over is not empty, mounting anyway.
> Jan 12 07:31:20 PVE-LinuxSRV5 mount[6554]: NOTE: mount.crypt does not support utab (systems with no mtab or read-only mtab) yet. Th…ounted.
> Jan 12 07:31:21 PVE-LinuxSRV5 mount[6554]: Password: crypt_activate_by_passphrase: Operation not permitted
> Jan 12 07:31:21 PVE-LinuxSRV5 systemd[1]: home-carl-srvc.mount mount process exited, code=exited status=1
> Jan 12 07:31:21 PVE-LinuxSRV5 systemd[1]: Failed to mount /home/carl/srvc.
> Jan 12 07:31:21 PVE-LinuxSRV5 systemd[1]: Unit home-carl-srvc.mount entered failed state.
> Hint: Some lines were ellipsized, use -l to show in full.
>
> >>>>> It failed - does not support interactive entry of passphrase
> # mount /home/carl/srvc
> NOTE: mount.crypt does not support utab (systems with no mtab or read-only mtab) yet. This means that you will temporarily need to call umount.crypt(8) rather than umount(8) to get crypto volumes unmounted.
> Password:
> >>>>>At this point, after entering the encryption passphrase, the encrypted file system is accessible in Dolphin
>
> >>>>>Below - display some info
> # cat /etc/crypttab
> cr_srv2 /home/carl/srv2 none noauto
> # grep srvc /etc/fstab
> /home/carl/srv2 /home/carl/srvc crypt loop,user,noauto,acl,nofail 0 0
> # grep srvc /etc/mtab
> /dev/mapper/_dev_loop0 /home/carl/srvc ext4 rw,nosuid,nodev,noexec,relatime,data=ordered 0 0
> # systemctl status -l /home/carl/srvc
> home-carl-srvc.mount - /home/carl/srvc
> Loaded: loaded (/etc/fstab)
> Active: active (mounted) (Result: exit-code) since Sun 2014-01-12 07:34:52 EST; 42min ago
> Where: /home/carl/srvc
> What: /dev/mapper/_dev_loop0
> Process: 6554 ExecMount=/bin/mount /home/carl/srv2 /home/carl/srvc -t crypt -o loop,user,noauto,acl,nofail (code=exited, status=1/FAILURE)
> >>>> this error message seems left over from the failed attempt to mount via the service.
> >>>> The current status, mounted, is correct.
>
> --------------------
>
>
> Thanks for the examples and dialog - a worthwhile learning experience.

I don’t have it clear if you managed or not to mount it :-?

If not, I suggest you do:

/etc/crypttab:


cr_srv2     /home/carl/srv2    none     noauto

which I think it is how you have it. Then, in fstab, have the line:


/dev/mapper/cr_srv2  /home/carl/srvc  ext4  noauto,nofail,rw,nosuid,nodev,noexec,relatime,data=ordered 1 1

For activation, you need to do:


cryptsetup luksOpen /home/_var_data/data.crf cr_srv2

which will ask for the password. At this point, you can use “losetup
-all” and you will see the loop device in existence, even if it is not
declared in the fstab line. Look at mine:


minas-tirith:~ # losetup -all
NAME       SIZELIMIT OFFSET AUTOCLEAR RO BACK-FILE
/dev/loop0         0      0         1  0 /home/_var_data/data.crf
minas-tirith:~ #

You can at this point run an fsck on the device, because it already
exists and it is decrypted, appearing at “/dev/mapper/cr_srv2”. See mine:


minas-tirith:~ # file -s /dev/mapper/cr_sysdta
/dev/mapper/cr_sysdta: symbolic link to `../dm-0'
minas-tirith:~ # file -s /dev/dm-0
/dev/dm-0: ReiserFS V3.6
minas-tirith:~ #

I do not show an fsck because you use ext4, and mine is reiserfs.

Ok, the next step is to mount it:


mount /home/carl/srvc
ls /home/carl/srvc

And that’s all. In short, you run:


cryptsetup luksOpen /home/_var_data/data.crf cr_srv2
mount /home/carl/srvc
ls /home/carl/srvc

Note: I add the “ls” line because of the “nofail” option. If, for
whatever reason, the mount fails, the command will not warn of any
error; thus you have to check yourself if it succeeded.

Or, you can simply do like this:


minas-tirith:~ # systemctl start /data/cripta/
Please enter passphrase for disk cr_sysdta on /data/cripta!
********************
minas-tirith:~ # mount | grep cripta
/dev/mapper/cr_sysdta on /data/cripta type reiserfs (rw,noatime)
minas-tirith:~ #

which is a single step. I don’t like it much, so I wrote my own script
to handle several possibilities. One of the options I have is an fsck of
the device. If you are interested, I can upload it somewhere.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
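As an added example (not a script from this thread, and not Carlos’ own script), here is a small POSIX sh wrapper for the two-step open/mount and umount/close sequence he describes, using the crypttab name cr_srv2, the image /home/carl/srv2 and the mount point /home/carl/srvc from the thread, together with the device-mapper fstab line he suggests. It also checks that the crypttab/fstab pair carries the “noauto”/“nofail” options and confirms that the mount actually happened, since with “nofail” a failed mount is silent; it assumes it is run as root (or through sudo, as discussed above).

```shell
#!/bin/sh
# Manual open/mount and umount/close of a LUKS image file (added example).
# Names assumed from the thread: crypttab entry cr_srv2, image file
# /home/carl/srv2, mount point /home/carl/srvc, fstab line using
# /dev/mapper/cr_srv2 with noauto,nofail. Must run as root.
CR_NAME="cr_srv2"
IMAGE="/home/carl/srv2"
MNT="/home/carl/srvc"

# check_entries CRYPTTAB_LINE FSTAB_LINE
# Returns 0 when the crypttab line has "noauto" and the fstab line has
# both "noauto" and "nofail", i.e. nothing is opened or mounted at boot.
check_entries() {
    crypt_opts=$(printf '%s\n' "$1" | awk '{print $4}')
    fstab_opts=$(printf '%s\n' "$2" | awk '{print $4}')
    case ",$crypt_opts," in *,noauto,*) ;; *) return 1 ;; esac
    case ",$fstab_opts," in *,noauto,*) ;; *) return 1 ;; esac
    case ",$fstab_opts," in *,nofail,*) ;; *) return 1 ;; esac
    return 0
}

# is_mounted MOUNTPOINT [MOUNT_TABLE]
# True when MOUNTPOINT appears as the second field of the mount table
# (defaults to /proc/mounts). Same idea as Carlos' "ls" after the mount:
# with "nofail", mount does not report failure, so verify explicitly.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit (found ? 0 : 1) }' \
        "${2:-/proc/mounts}"
}

crypt_up() {
    # Step 1: create the decrypted mapper device (prompts for passphrase).
    cryptsetup luksOpen "$IMAGE" "$CR_NAME" || return 1
    # Step 2: mount it through the fstab entry for the mount point.
    mount "$MNT"
    # Step 3: confirm the mount, and do not leave the mapper device
    # around if it did not happen.
    if ! is_mounted "$MNT"; then
        echo "mount of $MNT failed, closing $CR_NAME" >&2
        cryptsetup luksClose "$CR_NAME"
        return 1
    fi
}

crypt_down() {
    # umount alone leaves /dev/mapper/$CR_NAME decrypted and open;
    # close it as well so the key is dropped from the kernel.
    umount "$MNT" || return 1
    cryptsetup luksClose "$CR_NAME"
}

case "${1:-}" in
    up)   crypt_up ;;
    down) crypt_down ;;
esac
```

Invoke as `./crypt-folder.sh up` to open and mount, and `./crypt-folder.sh down` to unmount and close the mapper device.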

Yes, it did mount and I am using it.

I appreciate your additional info and may shift my long-term usage to follow your methodology.
As always, there is more than one way to get the job done.

On 2014-01-12 17:36, cmcgrath5035 wrote:

> As always, there is more than one way to get the job done.

Oh, absolutely :-)


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)